
1900 Plus Exchange Servers Under Active Attack.

Researchers from Huntress have observed Exchange servers being compromised by hackers over the past two days because the three vulnerabilities grouped under ProxyShell were left unpatched.

ProxyShell is the collection of the three vulnerabilities listed below affecting Microsoft Exchange Server, discovered by researcher Orange Tsai (@orange_8361) of the DEVCORE Research Team.

  • CVE-2021-34473 – Remote code execution on the affected system.
  • CVE-2021-34523 – Microsoft Exchange Server Elevation of Privilege Vulnerability.
  • CVE-2021-31207 – Microsoft Exchange Server Security Feature Bypass Vulnerability.

Interestingly, Orange Tsai won $200,000 for the ProxyShell exploit at the Pwn2Own 2021 hacking contest.

On August 8, ISC SANS performed an internet-wide scan for ProxyShell vulnerabilities on Exchange servers and identified 30,400 servers that are still vulnerable to the attack. Interestingly, two security researchers, Rich Warren and Kevin Beaumont, took to Twitter about actual webshell attacks observed on their honeypots.

“Keep your Exchange servers safe this weekend. @HuntressLabs has seen 140+ webshells across 1900+ unpatched boxes in 48hrs. Impacted orgs thus far include building mfgs, seafood processors, industrial machinery, auto repair shops, a small residential airport and more,” Huntress stated.

One worrying development is that threat actors posted a list of around 100,000 Exchange servers exposed to the internet on a Russian hacking forum, which could further increase the attacks.

Source: TheRecord

Indicators of Compromise of Web Shells:


Source: Huntress.
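The web shell locations Huntress reported (the IIS aspnet_client folder and the Exchange owa\auth folder) can be triaged from a file listing exported off the server. The following Python is an added example, not code from the article or from Huntress; its owa\auth allowlist, the "no .aspx under aspnet_client" heuristic and the sample listing are constructed for the demonstration.

```python
import re
from typing import Dict, List

# Folders the reported ProxyShell web shells were dropped into. The listing is
# assumed to come from `dir /s /b` or Get-ChildItem, one Windows path per line,
# and is compared case-insensitively.
ASPNET_CLIENT = "\\inetpub\\wwwroot\\aspnet_client\\"
OWA_AUTH = "\\frontend\\httpproxy\\owa\\auth\\"

# Assumption: the analyst builds this allowlist from a known-good server of the
# same Exchange build. These entries are constructed for the demo only.
OWA_AUTH_ALLOWLIST = {"logon.aspx", "errorfe.aspx", "signout.aspx"}

# Name shapes seen in the reported shells: long all-caps gibberish or bare hex/digits.
RANDOM_NAME = re.compile(r"^(?:[A-Z]{6,}|[0-9a-f]{8,})\.aspx$")


def triage(listing: str) -> Dict[str, List[str]]:
    """Return {path: [reasons]} for every .aspx in the listing that looks planted."""
    findings: Dict[str, List[str]] = {}
    for raw in listing.splitlines():
        path = raw.strip()
        lower = path.lower()
        if not lower.endswith(".aspx"):
            continue
        name = path.rsplit("\\", 1)[-1]
        reasons: List[str] = []
        if ASPNET_CLIENT in lower:
            # Heuristic: a stock install serves no .aspx pages from aspnet_client.
            reasons.append("aspx page under aspnet_client")
        if OWA_AUTH in lower and name.lower() not in OWA_AUTH_ALLOWLIST:
            reasons.append("unexpected page under owa\\auth")
        if lower.count(".aspx") > 1:
            reasons.append("double extension")
        if RANDOM_NAME.match(name):
            reasons.append("random-looking name")
        if reasons:
            findings[path] = reasons
    return findings


# Constructed listing: two benign files plus names in the style that was reported.
SAMPLE_LISTING = r"""
C:\inetpub\wwwroot\aspnet_client\system_web\4_0_30319\WebForms.js
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\logon.aspx
C:\inetpub\wwwroot\aspnet_client\HWTJQDMFVMPOON.aspx
C:\inetpub\wwwroot\aspnet_client\nhmxea.aspx.aspx
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\d62ffcd688.aspx
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\themes\resources\zaivc.aspx
"""

if __name__ == "__main__":
    for hit, why in triage(SAMPLE_LISTING).items():
        print(hit, "->", ", ".join(why))
```

Any hit should be confirmed by inspecting the file's contents and its creation time against the IIS logs, since the name heuristics are only a first pass.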
